Posted
by
Soulskillon Friday August 12, 2011 @02:18PM
from the now-use-head-for-something-other-than-target dept.

snydeq writes "Apple has much to learn about securing an operating system, and it could learn how from Microsoft, Roger Grimes writes in the wake of further evidence that Macs are more vulnerable to attack than Windows machines. 'It's taken Microsoft 10 years to turn security from a weakness into a strength. Apple can use the lessons learned by Microsoft to manage a quick turnaround. Apple has already hired one of Microsoft's former security leaders, Window Snyder, and it has adopted a modified form of Microsoft's Security Development Lifecycle programming practices. Apple has the benefit of seeing how Microsoft fixed its past mistakes.'"

MS is the typical fast followers - let someone else test the market; then jump in and take advantage of the new market while learning from the pioneer's mistakes. then push big to capture the market and crowd everyone else out. Once you're in you can expand and improve your product. It's been pretty effective for them over the years.

Meanwhile actual hackers, like the guys who won the Pwn2own contests by beating OSX security, now say OSX Lion is more secure than Windows [macnn.com] (even though they previously freely admitted Snow Leopard was trailing Windows' [macobserver.com] latest offering in that department.)

"Both Miller and his co-author in the book The Mac Hacker's Handbook, Dino Dai Zovi of Trail of Bits said that from a security perspective, Snow Leopard was little better on Leopard, but that Lion is a "significant improvement." Zovi describes the level of security in Lion as "Windows 7 plus plus." Apple hired the inventor of the BitFrost security system for OLPC, Ivan Krstic, two years ago in an effort to beef up core OS security. Krstic's methods in BitFrost mirror closely what has now been implemented in Lion."

sigh... windows security was highly compromised by a few very simple things. It encouraged users to be Admins by making simple tasks require admin, its registry required modifying system resource handles by untrusted apps, and it had no way to tag files as tainted after a download to warn users when they opened them.

Then the access controls that were implemented swung the pendulum too far too early. Unix permissions on a mac are useful while not being terribly difficult to maintain. The OS will take ca

Because for every "big new hope" security feature that you described, except default sandboxing for all (it has been in IE for awhile), Microsoft brought into Windows starting with XP Service Pack 2, which came out in 2004.

Because for every "big new hope" security feature that you described, except default sandboxing for all (it has been in IE for awhile), Microsoft brought into Windows starting with XP Service Pack 2, which came out in 2004.

Complex ACLs have been around since the inception of NTFS, and remain better than most other commonly used FS ACL options (someone is likely to make a fool out of me with such a broad statement, but oh well).

[Windows] encouraged users to be Admins by making simple tasks require admin, its registry required modifying system resource handles by untrusted apps, and it had no way to tag files as tainted after a download to warn users when they opened them.

...

I dont' see why anyone would think that Apple is a follower of MS.

Because IE6 introduced tagging files as downloaded so you get a warning when you open them. Vista defaults new users to non-admin accounts and even on admin accounts runs apps at user privilege level and asks for the admin password as required. It also had built in sandboxing (IE7 used it) and virtualised both the filesystem and the registry, on top of tightening up ACLs.

Apple has been introducing similar changes at a later time, which is the definition of "following". Not necessarily "copying" or "catch

These people are definitely better informed about the internals of the operating systems in question. Too many security "experts" simply know now to read books and articles written by other security "experts", and a number of them are paid shrills for various operating system owners. If someone can Pwn your system, then go and tell you both how and why they were able to do it, I would trust their opinion more than someone who is a talking head at some Magazine, Website or TV program!

There are many place where you can sign up to do "reviews" and/or run blogs that are actually supported by various companies. A person I know makes a living doing this. Similarly, publishers and authors use promo companies that will go and write good reviews for their books on Amazon, and bad reviews of their competitors...

There are many place where you can sign up to do "reviews" and/or run blogs that are actually supported by various companies. A person I know makes a living doing this. Similarly, publishers and authors use promo companies that will go and write good reviews for their books on Amazon, and bad reviews of their competitors...

ttyl
Farrell

You're missing the point of his post. The point is that you used the wrong word. The word you want is "shills", not "shrills".

IMV, Apple products/features over the course of the last 5-8 years follow a fairly straightforward model which can be broken down into a few steps.

1. Release Not-Terribly-Shiny Version 1.0. It may not be the most sophisticated in the world, it may have a whole heap of issues. But it will be released. The rest of the world says "ho-hum". It probably won't sell spectacularly, but it won't be an abject failure. (See also: First generation iPod. First generation iPhone. OS X when first released.)2. Release Shiny Version n+1. It fixes most of the issues of the previous version. Technologically it's unusual for it to do anything new, anything that the competition doesn't already do. But what it does it executes with so much style, so much polish that the rest of the industry is left looking rather pathetic and scrabbling to catch up. It sells spectacularly. (See also iPhone 3G)3. Apple will rest on its laurels. There will be updates to their products, but by and large they'll be relatively minor increments rather than ground-breaking "my God that's amazing" ideas. These will be released as Shiny Version 3.0 and 4.0. (See also iPhone 3GS, OS X versions 10.3-10.4).4. The rest of the industry will catch up. Products will appear that compete with Apple's equivalent on features, price and polish. Then, just as people are starting to seriously question Apple and wonder what they're doing...5. Repeat steps 2-4.

If I'm right, the iPhone 5 won't be a huge breakthrough over the iPhone 4. It may have a few tweaks here and there, but it won't be "Steve, take me now!" fantastic. The iPhone 6, however, will probably be leaps and bounds ahead of the 5.

Yeah but, on the other hand, talking to hackers, even information security experts, isn't really good enough. There are too many opinions out there and not enough facts.

The first problem is that we don't have any sort of useful objective metric to compare the security of various operating systems. "Number of vulnerabilities found" is unfair to the popular ones. "Severity of the worst vulnerability found" is useless because everyone has remote root exploits found from time to time.

OSX Lion is also a whopping 3 weeks old, while Win7 is 2 years old. Want to bet that when Windows 8 comes out, it will be more secure than OSX Lion?

Regardless, you and I both know that when the next Pwn2Own comes along, the Probook is going down first. Where the money is, there will be the exploits.

Sure I hope every OS that comes out after Lion will be even more secure, I wouldn't mind a security arms race. I was just pointing out that Apple has (privately at least) acknowledged some of its shortcomings and is taking steps.

The next Pwn2own will certainly be interesting as the traditional attack vector, Safari, has had a lot of work done under the hood. Can't wait to see what they'll come up with.

I first met Window about 12 years ago, she was sharp and capable when it came to security. I doubt much has changed. In terms of achievement, not every achievement ends up being a big publicized event where implementors are handed plaques to commemorate the occasion. Security is a boring and incremental effort when you're trying to improve process.

So, I guess I'm a little biased with the (weak) personal connection, but don't hate just because you don't know who she is or what she's done.

Most security professionals (and even famous hackers, like pwn2own winners) today acknowledge that Microsoft security development practices are very good, and so are their latest OS. Everbody who has not devolved into pure fanboism understands that this can be the case even if they still have a higher volume of issues than Mac have for now.

It takes a long time for "common knowledge" to change. Take for example American cars. Whether you think they're on par or not they have made a lot of progress in catching up with foreign manufacturers but are still largely considered inferior products.

'It's taken Microsoft 10 years to turn security from a weakness into a strength"

Really? A strength? Seriously?

Is that why we got the ping of death back in Vista/Win7/2008 because of a forked TCP stack?....Because Security is a "Strength" for Microsoft?

Honestly, while security *may* be better [and I'm not sure that's true] at MS, it certainly IS NOT a strength of theirs.

If that's the view of the moron who wrote this - I'll trust everything else written with the same level of massive skepticism. [i.e. It's clear a moron wrote this - so I'll trust everything else in here just as much as I'd trust any other moron.]

Really? A strength? Seriously?
Is that why we got the ping of death back in Vista/Win7/2008 because of a forked TCP stack?....
Because Security is a "Strength" for Microsoft?

You'll notice a great majority of the exploits are found in old code. They've got quite rigorous security practices now, and their new code is benefiting greatly from it. I don't know if I'd say security is a strength of their products right now, as there's plenty of old code left to exploit. But they're certainly on the path to get there.

MS: "Yeah, your home is like Fort Knox - no one will break in through the new stuff we built. Mumble mumble mumble"Me: "What was that mumbling?"MS: "Well, everything is really secure, except the old stuff - like, you know, the doors and windows. That's old stuff. You can't hold us responsible, even if we built it. Only the new stuff matters and it's like a rock! No one will break in through the roof or walls!"Me: "Ah, yeah - I feel so much better already!"

It's taken Microsoft 10 years to turn security from a weakness into a strength

The only thing "strong" about windows security is the botnets that grow to 100,000 computers strong

Until MS expunges the litany of windows-running botnets from my inbox I'm not buying that BS. If they can take down the botnets, I'll acknowledge they've taken security seriously from a consumer protection standpoint. They can trot around the ring all day long yelling "We're tough on security now!" and I'll sit back with an "I'll believe it when I see some results" attitude. Put up or shut up. Ya I know, fat chance, but that's my opinion on it.

And, of course, they have a program you can add to Windows (but can't ship with Windows for antitrust reasons (thanks Symantec!)) called Microsoft Security Essentials [microsoft.com] to actually help protect against user stupidity,

I really can't think of two companies that approach the problem from such different directions:

Apple has a very top-down developer/third party attitude about its relationship with developers. It loves them and everything, but they take the interpretation of their developer documentation very seriously, they don't give product or platform roadmaps, and they will change, deprecate and remove APIs such as their wont. To Apple, the computer buyer is the customer, and the developers are a sort of collateral operation. Microsoft sees developers as their main customers, and go to extraordinary lengths to make sure that if a program ran under some version of Windows, it will always run without the developer having to update -- if it runs once, Microsoft considers that a contract. This makes the platform much more stable and predictable but allows all sorts of bad behavior to go uncorrected.

Apple leverages lots of open source projects to provide the middleware on their platform; granted they sometimes leverage quite old versions of open source projects. Microsoft is committed to in-house development of the complete system -- you'd never see Microsoft ship OpenSSH, KHTML, or a Ruby interpreter with their operating system, they're much more apt to ship their own tools to accomplish the same things, with all the benefit and risk that entails.

Microsoft is committed to the PC as a platform for computing, and differentiating the "power" of a Real Computer to things like mobile devices or appliances, so they don't countenance things like sandboxes, curated app stores, the principle of least privilege -- they're much more deferential to developers. Apple is happy to impose much tighter restrictions system-level restrictions (in Lion, apps aren't even allowed to traverse the filesystem directly anymore, all of this happens outside the apps address space), and Apple is much less grandiose and much more practical about designing programming environments.

Apple sees the ultimate security of the system as the vendor's responsibility. Microsoft sees the ultimate security of the system as the user's responsibility. Pick your poison.

Like the hopelessly inadequate me-us-world security coarse-grained security which requires proper ACLs to be bolted on top.

Like you cannot set up proper inheritance of security from parent folder, leading admins to design strange processes to wake up and chmod files.

Like the almighty root to rule them all. No separation of duties there. (Windows has proper separation of duties based on privileges. Even admin does not own all privileges, for instance the admin *cannot* write to or clear the security log).

Like the UNIX idea of a "token" which are just UIDs hard-wired to user accounts. (Windows has *real* process tokens which can be manipulated per process, e.g. stripping certain privileges from a process even if it runs under an admin account).

Windows security design is not perfect, but it is a god deal better designed and more capable than the "UNIX proven design". Why do you think SELinux was developed by the NSA? Because Linux with its "proven design" was woefully inadequate for government work - a task for which Windows is certified but only few Linuxes - those with SELinux).

We keep hearing about this "superior" Unix security design. But it is always referred to in the abstract with no details. Maybe it is some magical fairy or Apple dust?

Yes, a good admin can lock down a Linux with apparmor or SELinux pretty tight. Both apparmor and SELinus are solutions which compensates for the initial inadequate design.

restaM is a security teacher. restaM is Master written backwards. To learn from a restaM you do everything the opposite way. If they do A you do !A. If they advice you to do B you do !B. This is how Apple can learn from Microsoft the security lessons. oops sorry. snossel !

Given that Apple have now revealed themselves to be every bit as evil as Microsoft (as opposed to just wanna-be evil, as the more perceptive of you will have known for at least the past decade) it's not surprising that these two scum-infested megacorps are now talking.

Apple is still on safe due to obscurity, the corporate world almost strictly uses MS, while Apple has grown its user base in recent years, they have not touched the corporate market. Anyone will attempt to go after corporate before personal users because the reward is greater. MacOS is still the most vulnerable OS on the market. Yes, you can lock it down changing a lot of settings, but you can do additional configuring on Linux and Windows machines. MacOS doesn't lose Pwn2Own the quickest every year for no

In the 2008 contest, a successful exploit of Safari caused Mac OS X to be the first OS to fall in a hacking competition. Participants competed to find a way to read the contents of a file located on the user's desktop, in one of three operating systems: Mac OS X Leopard, Windows Vista SP1, and Ubuntu 7.10. On the second day of the contest, when the rules were loosened and allowed attack surfaces expanded to include Web browsers, Charlie Miller compromised Mac OS X through an unpatched vulnerability of the PCRE library used by Safari.[4] Miller had been aware of the flaw prior to the beginning of the conference and worked to exploit it unannounced.[4] The exploited vulnerability was patched in Safari 3.1.1, among other flaws.[7] At the end of the contest, only the Ubuntu system remained unexploited.

Three years ago is forever in security terms. "Pwn2Own doesn't test Linux," in present tense, is a true statement; and knowing the relative vulnerability of Leopard, Vista, and Ubuntu 7 tells you next to nothing about how Lion, Windows 7, and Ubuntu 11 stack up against each other today.

Actually, the last time Ubuntu was in Pwn2Own (2008), it was the only system that didn't get pwned. Oh, and see those Androids listed under Mobile Phones? That's Linux too. (Cue flame about Android not being Linux...)

"Anyone will attempt to go after corporate before personal users because the reward is greater."

What? Most infections are aimed at creating bot nets and the payoff is WAY higher outside of corporations. They usually monitor traffic and are pretty good at cleaning up infected machines. Home users? Not so much.

Marketshare was a reasonable argument when Apple had 2% and shrinking. Now that they've got 10%+ and growing, it doesn't hold so much water. Not to mention that Darwin runs zillions of iPads and i

From Ars, "In Lion, the sandbox security model has been greatly enhanced, and Apple is finally promoting it for use by third-party applications. A sandboxed application must now include a list of "entitlements" describing exactly what resources it needs in order to do its job."

Then there's privilege separation, which breaks up a complex application into individual processes, each of which requires only the few entitlements necessary to perform a specific subset of the application's total capabilities. Video

From Ars, "In Lion, the sandbox security model has been greatly enhanced, and Apple is finally promoting it for use by third-party applications. A sandboxed application must now include a list of "entitlements" describing exactly what resources it needs in order to do its job."

Then there's privilege separation, which breaks up a complex application into individual processes, each of which requires only the few entitlements necessary to perform a specific subset of the application's total capabilities. Video decoding, PDF decoding, and HTML decoding are already handled this way in Lion. (Not to mention sandboxing Flash into it's own tiny little world.)

Windows doesn't have such fine-grained security controls (as least not to my knowledge), but there is a public API that a process can use to lower its privileges. IE is actually one of the programs that uses it.

The problem is, most programs (including things like Firefox) don't use this lower privilege mode.

Well, if he's going to be named after a Microsoft product, at least, for the most part, Windows is generally successful. Apple never would've hired him if he was named after Microsoft Bob,. . . We all know that Bobs don't make good consultants [imdb.com],. ..

Look at MS as been aggressive at fixing things since XP, even providing free security software. Also look at end users MS has been for most part educating end users that they have to do preventive measures to keep their computers safe. Mac users generally think their OS is safe right outta the fox. I know i will be called a troll for saying this but its a fact and Leo Laporte for people who know who that is pretty much said that and yes he uses mac most the time.

No Operating System is secure right out of the box. At least with Linix/Unix there is a huge difference between the System admin and an ordinary user and it is fairly common for most people who use *nix (this include Apple's OS) to login as a normal user. Were MS Windows differ's is the fact that most people grant themselves System admin privilege right out of the box and that makes a MS Windows OS less secure then a *nix OS. Any user who is logged into a *nix machine as a system admin for non system admin

Considering the phenomenal market share Windows holds in the computer usage domain, no doubt there will be problems. Regardless of whether or not the Windows security model you speak of is broken or not, Its security problems are there for Apple to observe.

Considering the phenomenal market share Windows holds in the computer usage domain, no doubt there will be problems.

NO.

Ex: Apache, the most popular and very secure web server.

Regardless of whether or not the Windows security model you speak of is broken or not, Its security problems are there for Apple to observe.

There is nothing to learn there. Windows "security" consist of kludges built on top of unworkable model -- it's best when it is least consistent. Apple just has to consistently use security model it already has.

Apache is not the most popular web server in the way you suggest. More websites are hosted on Apache than anything else, but that doesn't translate to more apache servers than anything else. Windows web servers tend to be run by corporations, and as such tend to have only a small number of sites on them. Apache tends to be run by ISP's, and other hosting companies who put large numbers of sites on them.

Website != server

By the way, Apache runs on Windows as well. And it's used quite a bit actually, parti

So what should Helly (sic) Kitty Screen Saver do as an alternative then? I suppose it could split up the program into two separate processes running with different credentials, just like other programs do to avoid UACs.

But how is some badly written third party software a symptom of a broken security model?

But how is some badly written third party software a symptom of a broken security model?

Because Microsoft has encouraged such behaviour in the past ('sure, feel free to write any old crap in the program files tree'), and now continues to support it so as not to break those badly written applications.

And because UAC messages are absolutely useless in most cases. The most common one seems to be 'Access Hard Disk'. What does that mean? Is it trying to write a config file to its own directory or install a rootkit? How am I supposed to tell?

Because Microsoft has encouraged such behaviour in the past ('sure, feel free to write any old crap in the program files tree') and now continues to support it so as not to break those badly written applications.

That is incorrect. To get Windows certification you had to save your settings under the user's profile. Doing this lets software run under limited user accounts and allowed for roaming profiles so users could login on any workstation and have their configuration follow them.

Since Windows NT 3.1, Microsoft have proper permissions system so you did not have to run as Administrator. In all the API documentation they told developers what they had to do to work correctly. Unfortunately because Windows 9x was the

Since Windows NT 3.1, Microsoft have proper permissions system so you did not have to run as Administrator. In all the API documentation they told developers what they had to do to work correctly. Unfortunately because Windows 9x was the more popular OS developers could ignore Microsoft's pleas.

Never seen an "Access Hard disk" prompt. Then again, I skipped Vista completely. Almost changed to using Ubuntu on my desktop, but then I actually enjoyed using 7. Now using OpenSUSE in a virtual machine for my Linux needs.

UAC doesn't automatically pop up in response to the program trying to do something. UAC pops up because the program specifically told Windows "I need to elevate" - there's no facility for it to tell Windows WHY. Perhaps there should be, but that's why it can't do it now.

There should never be such a question in the first place. If "Deny" is not the only possible answer, security model is broken.

Please note that Microsoft imitated Unix/Linux sudo (and PolicyKit) prompt, that serves a completely different purpose there -- ask a user to confirm that he really intends to perform a system administration task. Untrusted software can't trigger those things in the first place.

There should never be such a question in the first place. If "Deny" is not the only possible answer, security model is broken.

I disagree. Any security model that makes things that hard to use would fail in the broader community because people would just turn it off. Look at how many people disabled UACs now because they seemed annoying. Imagine how many people would just run as Administrator all the time if it seemed impossible (and not merely annoying) to use all your old software under your proposed security model.

Actually, you do not have to imagine. You just need to look at Windows 2000 or XP for that exact user experience. Ho

Let's see... The NT family of Windows has full security infrastructure based on user accounts and access privileges. However, that security infrastructure was completely turned off by default when Microsoft decided to merge the WinDOS family into Windows XP so that you could run legacy WinDOS software and software written by idiots without any additional setup. And now, starting with Vista, we've got yet another security infrustructure built on top of the first one which is supposed to emulate access restri

And now, starting with Vista, we've got yet another security infrustructure built on top of the first one which is supposed to emulate access restrictions inside otherwise unrestricted administrator account

You're confused. That is not how UAC works, at all. The underlying security system is the same that has always been in NT OS family - changed are the defaults (no longer root by default), and UAC is really nothing more than sudo.

UAC is not much like sudo since it is not a security feature. It is not supposed to stop bad software doing bad things (since it can't, it's trivial to bypass), it's supposed to let users know that good software is doing system-level things.

UAC is a security feature. The article you have linked to describes the consequences of a bad (insecure) default configuration of said feature. UAC will still be active and do checks and elevate processes as required - it will just use the whitelist to suppress elevation prompts for specific processes. But process security still remains in full force, it's not all smoke and mirrors.

Even the article itself correctly states that, if you move the UAC slider to its highest setting (which is what it was in Vista

The whitelist trick is just one of many mostly unfixable holes in Windows that make win7 UAC in default mode trivial to bypass. As you say, pushing the slider to maximum gets you Vista-level security: better but still not secure. You need a separate admin account to get something close to sudo.

As vendors make their software more UAC friendly, MS will eventually be able to

Can you give an example of how to circumvent UAC with slider on maximum and an "admin" account? (i.e. no password entered in UAC prompt, just OK/Cancel).

The reason why sudo asks for a password (even for user's password, like in Ubuntu by default) is to prevent input injection attacks. UAC doesn't do that because it relies on an OS mechanism to prevent input injection (isolated desktop). I'm not aware of any known ways to exploit this. Hence I'm claiming that UAC in this mode is exactly as secure as sudo is

The elevations people usually cite involve cases where things can be written by an unprivileged process which are then used by an elevated process. For example, there are various registry keys which a low-priv process can write which are executed by an elevating command prompt. The Ubuntu equivalent would be appending "alias sudo/my/sneaky/attack" to someone's.bashrc. Though this Windows once is a little worse since you can't (as far as I know) as a user inject things into gtk-sudo, which would be the mai

And NT never supported completely turning off it's security infrastructure, let along did so by default (sure, there was the Administrator default that made it mostly ineffective, but that has been always the case in the NT family before and never was new).

Well, what do you call forcing the user to always work with administrator privileges because Microsoft didn't have balls to stand up to idiot developers 10 years ago? I call it throwing the whole security infrastructure out of the window.

"Mostly fixed"? Excuse me, but which company just recently made a big ugly hack to at least partially patch the huge security hole caused by stupidity of third-party software vendors whose software without any good reason requires administrator privileges to run?

Exploitable bugs are one thing. Building complete security infrastructure and then basically throwing it out the window and building another much weaker and completely superfluous one on top of it is quite another.

Ubuntu works better than windows on desktops. It's more secure, it's free, doesn't need a virus scanner because it's designed properly, and it comes with bucket loads of great software at no extra charge.

But if you like expensive, slow, and bug ridden OS's that team with viruses feel free to use windows. It's totally up to you.

Buffer overflow was a 1960s problem.The software industry in general has a very short attention span but Microsoft really dropped the ball on that and many others where they could learn from the mistakes of the past. People are generally pissed off when they see something for sale that obviously has very little in the way of QC and large flaws in the design. The Zune leap year bug is another example of not taking the time to test for the completely and utterly fucking obvious.People shake their heads beca